Here is a sample log:
Access_Mask = 0x2
Access_Reasons = -
Accesses = Unknown specific access (bit 1)
Account_Domain =
Account_Name =
ComputerName =
EventCode = 4656
EventCodeDescription = A handle to an object was requested
EventType = 0
Handle_ID = 0x0
Keywords = Audit Success
LogName = Security
Logon_ID = 0x3e7
Message = A handle to an object was requested.
Process Name: C:\Windows\System32\svchost.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: Unknown specific access (bit 1) Access Reasons: - Access Mask: 0x2 Privileges Used for Access Check: - Restricted SID Count: 0
Object_Name = PlugPlaySecurityObject
Object_Server = PlugPlayManager
Object_Type = Security
OpCode = Info
Privileges_Used_for_Access_Check = -
Process_ID = 0x244
Process_Name = C:\Windows\System32\svchost.exe
RecordNumber = 78829788
Restricted_SID_Count = 0
Security_ID = NT AUTHORITY\SYSTEM
SourceName = Microsoft Windows security auditing.
TaskCategory = Other Object Access Events
Transaction_ID = {00000000-0000-0000-0000-000000000000}
Type = Information
action = failure
action_name = login_fail
action_title = Failed Login
dest = AZA2MGTXXSQM001
eventtype = wst_authentication authentication
host =
index = gis_wst
linecount = 37
punct = //::\r=\r=.\r=\r=\r=\r=..\r=\r=\r=\r=\r=_____.\r\r\r\r:
source = WinEventLog:Security
sourcetype = WinEventLog:Security
splunk_server = tag = authentication

I've edited my regex. That should work.

Thanks,

havent used extraction in the search ever, so this is what is my search query:
sourcetype="WinEventLog:Security" | rex _raw "Process Name: (?[^ ]+)" | search sourcetype="WinEventLog:Security" process_name !="c:\Windows\system32\svchost.exe"

and this is what i get:

Error in 'rex' command: The regex '_raw' does not extract anything. It should specify at least one named group. Format: (?...).

sorry the query is this:

sourcetype="WinEventLog:Security" | rex _raw "Process Name: (?[^ ]+)" | search sourcetype="WinEventLog:Security" process_name !="c:\Windows\system32\svchost.exe"

Try this:

sourcetype="WinEventLog:Security" | rex field=_raw "Process Name: (?<process_name>[^ ]+)" | search sourcetype="WinEventLog:Security" process_name !="c:\Windows\system32\svchost.exe"

Here it is what's worked for me:

| rex field=unparsed_message "(?P[A-Za-z]:\[^|]+)" | rex field=fullpath "(?P.)\\." | rex field=fullpath "(?P\w+.\w+)"

Hello, thanks for this. As for sample events so they are pretty much the same in the raw logs I have the fields ProcessName indexed and extracted which is usually the path and the process I am looking for ProcessName= "c:\Windows\system32\svchost.exe". I imagine how I could end up if I had two separate fields for the path and another for the process itself, but at the moment I am struggling while having everything just in one field. The field in the raw logs is always the same as above example. What I am trying to accomplish is to set up some rules to monitor default processes which start in non-default Windows locations.